Microsoft Corporation today issued a security bulletin for a "feature" in Internet Explorer 5.0 that security analysts have been complaining about for the past two weeks. At issue is the DHTML (Dynamic HTML) Edit control, an ActiveX control included with IE 5.0 that enables users to edit HTML text directly in the browser. It seems that a malicious Web site operator could trick a user into entering sensitive data into a DHTML Edit control hosted on a Web page from the operator's site, and then upload the data.
The company has issued a fully supported patch that fixes the problem. This patch applies to all users of Internet Explorer 5.0 for Windows and any users of IE 4.0 that downloaded that particular ActiveX control. You can check to see whether you have the control by checking for the existence of the file dhtmled.ocx in the C:\Program Files\Common Files\Microsoft Shared\Triedit\ folder.
You can find the patch for this security bug at the "DHMTL Edit ontrol" Update page on the Microsoft Web site